cmichel
When a user deposits to the treasury they first approve the contract and then call its deposit action which performs an ERC20.transferFrom.
Itβs possible for an attacker to frontrun the final deposit transaction after the user approval and turn the deposit into a sponsor this way, which is basically a free donation to a market outcome (card).
The attacker can create their own market where they are the only participant betting on a card that is guaranteed to win.
Attack:
User deposits can be stolen.
The sponsor function should not allow specifying a custom sponsorAddress.
The market should pull in the amounts from msg.sender using ERC20.transferFrom(msg.sender, amount) and then forward this amount to the treasury using a simple ERC20.transfer(treasury, amount) followed by the treasury.sponsor call that does the remaining book-keeping.
The text was updated successfully, but these errors were encountered:
All reactions